Much like the railroads in the 19th century, networks have become the lifeblood of many of today's businesses and business models. The ability to effect efficient, secure information exchange often determines the success or failure of a business proposition, deal, or sale. The technology of the Internet has demonstrated not only the power of sharing information, but the impact that sharing can have on entire business ecosystems when the information is available through a low cost distribution model that allows network participants to securely publish items for consumption by a broad network community. This secure publication capability is a key differentiator and business driver. We have all seen the impact of the Internet, which is arguably the largest IP network in the world. Through the combination of a low cost of entry, ubiquitous connectivity, and the power it places in the hands of the end user, the Internet has had an impact on nearly every industry and business ecosystem.
However, as with all good things, there are drawbacks, and networked communication is no exception. As dependency on networks has grown, so has the impact of outages, security breaches, malicious activity, and the cost of support. In fact, as the value of information increases, so does the interest in criminal activity. As a result, the Internet anarchy that persists today has all but eliminated it as a useful mechanism for mission critical business activities. This anarchy is largely the result of the lack of a business reporting infrastructure and the lack of a consistent implementation of comprehensive end-to-end security that, at a minimum, includes integrated authentication, authorization, encryption, and end-to-end logging.
In today's networked world, companies have leveraged Internet technology to create vast private IP networks that rely on IP addressing and filtering for perimeter security. Not long ago, when the number of users was relatively small, it was not difficult to secure a private IP network using traditional routers, firewalls, and switches to form a perimeter security barrier. However, with the proliferation of users and devices into the tens of thousands, spread over a worldwide geographical footprint, companies and network providers find themselves faced with a security nightmare that has a fatal characteristic: as the number of participants grows, cost and risk rise together, because cost rises with risk, and risk rises with both the number of participants and the number of functions and applications on the network.
This nightmare is the result of a few basic characteristics of how networks are created and managed. The first is that, by default, they employ an optimistic security model, one in which the default is to “allow all” and then restrict, taking privileges away through perimeter security. The second is the fragmented implementation of security across the network and its applications. Some approaches rely on a private network, others rely on the applications connected to the network, and most rely on an inconsistent mix of both.
The technology and the market have evolved into two distinct segments. One is built around networking and traditional perimeter security, and the other around applications and business functionality. The result is a significant separation, and variation in implementation, of the critical components of security across the layers of the OSI stack, with no consistent integration of security and business reporting. The Internet has done a great job of standardizing network connectivity, but it does not address comprehensive security or business reporting. Everyone does it in their own unique way and/or relies on the other segment for security. The result is that businesses are driven to private, application or function specific networks in order to guarantee security and control.
The result today is that networked application security depends on several critical elements that are not consistently implemented or managed as an aggregated solution or system for a shared participant environment. Today, assuming a multifunction networked solution, security is only as good as the worst combination (the weakest link) of implementation approaches, whether in one of many applications or in any element of the perimeter security around the network or one of its segments. At the lower, traditional network layers, a network is only as secure as its weakest on-ramp, and once someone is on the network there is very limited capability to know who they are or what they are doing.
Current approaches to addressing these issues are focused on more complex versions of the same approaches. Users are forced to implement private, dedicated networks that are application or function specific, point to point, and managed as islands of secure network infrastructure, where a key element of the security approach is to limit activity or users through single or centralized control. These approaches are costly and severely limit both the participants on the network and the networked applications. Examples include the many private, function specific networks in banking today (Visa, ACH, ATM, Fedwire, etc.), the traditional EDI implementations in which point to point connections are used for EDI transmission between two parties, and the many networks used in the securities, insurance, medical, legal, and educational business verticals that perform limited functions and have a restricted participant base.
The artifacts needed to support a basic business relationship and enforce a business contract for reliable, mission critical network business include many security elements. They include but are not limited to: (1) authentication—I know who I am doing business with; (2) authorization—I know who you are and can enforce that you are authorized to do what you are attempting to do and nothing else; (3) privacy—I can keep a participant's activity or existence private from others who are not authorized to have knowledge of that activity or existence; (4) end-to-end audit—I can track all activity to the user and activity level and provide a record of the activity (who did what to whom and when); (5) reporting—I collect and report on data in the manner needed to support SLA enforcement, billing, dispute resolution, and activity and operational planning; (6) non-repudiation—I can prove that an activity happened and that it is unique to the participants, with information sufficient to ensure that a participant cannot deny the integrity and authenticity of an action or activity; (7) end-to-end encryption—I can protect the information being exchanged such that it is viewable only by the authorized participants.
Today there are many pieces of technology available to implement each of these artifacts, but there is no integrated solution offering that allows the implementation, management, provisioning, and business reporting of these elements as a function of a virtual network connection and/or a virtual network topology.
An alternate approach would be to enforce all security within the applications attached to the network. This works well in a closed environment where the applications can be controlled. However, in a mixed user/application environment the result is that security is only as good as the weakest application. One common limitation of this approach involves the method of authentication when the network is public and not restricted to a limited set of users. A common problem with a simple user ID and password configuration for an application over a multi-user network like the Internet is that there is no strong method for authenticating either the user or the provider. If the user ID and password are compromised, one has no way of telling the real user from a fraudulent one; and because the provider never proves its own identity, the user has no way of telling the real provider from an impostor that is collecting credentials. This is the case with the many phishing scams seen on the Internet today. By combining mutual authentication or multi-factor authentication with the other elements described above, one can solve this problem for all networked applications, devices, and users. Today there is no solution that implements comprehensive security as a prerequisite to establishing a network initiated activity that is transparent to the application(s) using the network.
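The failure mode described above (a password that, once phished, lets anyone impersonate the user, with nothing proving the provider's identity) and the mutual authentication that addresses it, as an added illustration that is not part of the original page. The Python below is example code, not an implementation described by the page: the names Server, PhishingServer, Client and the message layout are assumptions for illustration, and the shared secret is assumed to be a high-entropy registered key rather than a memorable password. The baseline password_login accepts whoever holds the password; the challenge-response exchange instead has each side prove knowledge of the secret over fresh nonces, so an impostor server cannot satisfy the client, a stolen transcript cannot be replayed, and the secret itself never crosses the wire.

```python
"""Added example: password-only login versus mutual challenge-response.
Names and message format are illustrative assumptions, not from the page."""
import hashlib
import hmac
import secrets


def _proof(secret: bytes, role: bytes, user: bytes, s_nonce: bytes, c_nonce: bytes) -> bytes:
    # The role tag binds each proof to one direction, so a client proof can never be
    # reflected back as a server proof; the two nonces bind it to this one session.
    # Nonces are fixed-length (16 bytes), so the joined message is unambiguous.
    return hmac.new(secret, b"|".join([role, user, s_nonce, c_nonce]), hashlib.sha256).digest()


class Server:
    """Genuine provider: holds a per-user shared secret (assumed high-entropy)."""

    def __init__(self, secrets_by_user: dict):
        self.secrets_by_user = secrets_by_user
        self.pending = {}                      # user -> outstanding server nonce

    def challenge(self, user: bytes) -> bytes:
        s_nonce = secrets.token_bytes(16)
        self.pending[user] = s_nonce
        return s_nonce

    def verify_client(self, user: bytes, c_nonce: bytes, c_proof: bytes):
        """Return (client_ok, server_proof). The nonce is single-use, so replays fail."""
        s_nonce = self.pending.pop(user, None)
        secret = self.secrets_by_user.get(user)
        if s_nonce is None or secret is None:
            return False, None
        expected = _proof(secret, b"client", user, s_nonce, c_nonce)
        if not hmac.compare_digest(expected, c_proof):
            return False, None
        return True, _proof(secret, b"server", user, s_nonce, c_nonce)


class PhishingServer:
    """Impostor: knows the user name, accepts anything, but cannot compute a server proof."""

    def challenge(self, user: bytes) -> bytes:
        return secrets.token_bytes(16)

    def verify_client(self, user: bytes, c_nonce: bytes, c_proof: bytes):
        return True, secrets.token_bytes(32)   # a bluff; the client will reject it


class Client:
    def __init__(self, user: bytes, secret: bytes):
        self.user, self.secret = user, secret

    def respond(self, s_nonce: bytes):
        self.s_nonce, self.c_nonce = s_nonce, secrets.token_bytes(16)
        return self.c_nonce, _proof(self.secret, b"client", self.user, s_nonce, self.c_nonce)

    def verify_server(self, s_proof) -> bool:
        if s_proof is None:
            return False
        expected = _proof(self.secret, b"server", self.user, self.s_nonce, self.c_nonce)
        return hmac.compare_digest(expected, s_proof)


def password_login(password_db: dict, user: bytes, password: bytes) -> bool:
    """Baseline: whoever presents the password string is accepted; the server proves nothing."""
    return hmac.compare_digest(password_db.get(user, b""), password)


def mutual_auth(client: Client, server) -> dict:
    """Run one exchange; report which side convinced the other and keep a capturable transcript."""
    s_nonce = server.challenge(client.user)
    c_nonce, c_proof = client.respond(s_nonce)
    client_ok, s_proof = server.verify_client(client.user, c_nonce, c_proof)
    return {"client_ok": client_ok,
            "server_ok": client.verify_server(s_proof),
            "transcript": (client.user, c_nonce, c_proof)}


def replay(server: Server, transcript) -> bool:
    """Attacker resends a captured client response against a fresh challenge."""
    user, c_nonce, c_proof = transcript
    server.challenge(user)                     # new nonce issued; the old proof no longer matches
    ok, _ = server.verify_client(user, c_nonce, c_proof)
    return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed sample secret for user "alice"
    srv, cli = Server({b"alice": key}), Client(b"alice", key)
    print("phished password accepted:", password_login({b"alice": b"hunter2"}, b"alice", b"hunter2"))
    genuine = mutual_auth(cli, srv)
    print("genuine exchange:", genuine["client_ok"], genuine["server_ok"])
    print("replay of captured response:", replay(srv, genuine["transcript"]))
    phished = mutual_auth(Client(b"alice", key), PhishingServer())
    print("impostor server convinces client:", phished["server_ok"])
```

Two caveats a practitioner should keep in mind. A shared-secret scheme still lets an impostor server collect a client proof and attack it offline, so the secret must be a high-entropy key (or the exchange must run inside an already-authenticated channel); a public-key design such as mutual TLS avoids the shared secret altogether and is the usual way this is deployed. And the exchange authenticates only the session start; the end-to-end audit, authorization and encryption elements listed above still have to bind later activity to the identity established here.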
The result is that currently there is no method to accomplish all of these security elements such that they are implemented and enforced in a consistent manner, independent of the network transport provider and/or the applications attached to the network, where each participant can maintain secure control of their services independent of others on the network.
A need exists for a network solution that addresses the shortcomings in the currently accepted implementation models for securing applications that run over any OSI-based network infrastructure, at both the network and application layers.
A need exists for all of the critical elements needed to support a basic business contract to be embedded elements of the network. These embedded elements address the flaws discussed previously by applying an infrastructure layer that is based on absolute (deny-by-default) security rather than optimistic (allow-by-default) security, and that provides a minimum consistent implementation for all participants, applications, and activities on the network.
By integrating comprehensive security and reporting elements across the OSI stack into a virtual secure network offering, one can arrive at a low cost, secure, multifunction, broad reach network solution that addresses all of the elements needed to support a basic business contract on a shared multifunction network infrastructure, which is not attainable with today's approaches.